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DETAILED ACTION 

1 . This Office Action is directed towards the Applicant's response filed 8-20-2009. 
Claims 1, 2, 4-12, 14-20, 22, and 24-35 are pending and have been examined. 

Drawings 

2. The drawings were received on 8-20-2009. These drawings are approved. 

Response to Arguments 

3. Applicant's arguments filed 8-20-2009 have been fully considered but they are 
not persuasive. 

The Applicant argues that the rejections of the claims under 35 USC Sec. 102(e) 
as anticipated by Cowie et al. US 2003/0023865 are improper because Cowie fails to 
teach the features of: obtaining a signature of a steganographic program, and obtaining 
the signature of the program by reading code comprising a partial section of the 
program. 

The Examiner considers that Richer teaches a use of a steganographic program 
(page 4: Tools Used to Hide Information, page 6: Detecting Hidden Information with 
Various Resources: 1 .) Guidance Software Inc.). The rejections have been modified to 
reflect this newly added limitation of the independent claims. 

The Examiner points to Cowie (abstract, figure 5 elements 16-20, figure 6 
elements 32-35, paragraphs [006], [007], [0030], [0033], and [0034]) for a teaching of 
the feature of reading of a partial section of the program code. In Cowie, header data is 
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described as part of the program (see esp. [0030]). The Examiner considers that the 
invention of Cowie, where only the header data is read and utilized in the generation of 
a signature, teaches the claimed feature of reading of a partial section of the program 
code for signature generation. 

The Applicant argues that the rejections of the claims under 35 USC Sec. 103(a) 
as unpatentable over Cowie and Richer are improper because, both singly and in 
combination, the references fail to teach a steganographic program as set forth in the 
claims. The Applicant argues that Richer fails to disclose any "specific or detailed 
description" of the operation of the programs taught by that reference. The Examiner 
considers that this does not distinguish the claimed invention from Richer since the 
Applicant's claims do not offer such a specific or detailed description of the operation of 
the steganographic programs set forth in the claims. Richer teaches the feature of a 
steganographic program that introduces steganographic items into a computer file 
(page 4: Tools Used to Hide Information", page 6: Detecting Hidden Information With 
Various Resources: 1.) Guidance Software Inc.) 



Claim Rejections - 35 USC §112 

4. The following is a quotation of the second paragraph of 35 U.S.C. 112: 



The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 
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5. Claim 35 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite 
for failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. 

Claim 35 recites computer-implemented "means plus function" limitations that 
invoke 35 USC Sec. 1 12 6 th paragraph. As such, the corresponding structure disclosed 
in the Applicant's Specification for a computer-implemented function must include the 
algorithm as well as any general purpose computer or processor that performs the 
function. In order to support such "means plus function" language in the claims, the 
written description of the Applicant's Specification must at least disclose the algorithm 
that transforms the general purpose computer or processor into a special purpose 
computer-programmed to perform the disclosed algorithm that performs the claimed 
function. The Examiner finds that the Applicant's Specification lacks a sufficiently 
detailed description of any algorithm that carries out the functions set forth in claim 35 
and therefore the claim is indefinite under 35 USC Sec. 1 12 6 th paragraph. See MPEP 
Sec. 2181 for examples where the courts have held that the corresponding structure 
disclosed in the Applicant's Specification is adequate for such a computer-implemented 
"means plus function" limitation. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 
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(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

9. Claims 1, 2, 5, 6, 8-12, 14-16, 18-20, 22, 24-26 and 28-35 are rejected under 35 
U.S.C. 1 03(a) as being unpatentable over Cowie et al. US 2003/0023865 A1 , and Pierre 
Richer: SANS/GIAC Practical Assignment for GSEC Certification Version 1 .4b: 
Steganalysis: Detecting hidden information with computer forensic analysis, SANS 
Institute 2003 (Submitted with the Applicant's IDS). 

As for claim 1 , Cowie teaches a method, comprising, obtaining a signature by 
reading code comprising a partial section of a program, (fig. 5: element 18, [0015], 
[0034], [0048]) comparing the signature with one or more computer files (fig. 5: element 
18, [0015], [0034], [0048]), and, displaying a listing of which of the one or more 
computer-files provide a match with the signature (fig. 6 element 46, [0050]). Cowie 
fails to teach the feature where the computer-program is a steganographic program 
configured to introduce steganographic items into a computer file. . However Richer 
does teach such a feature (page 4: Tools Used to Hide Information, page 6: Detecting 
Hidden Information With Various Resources: 1 .) Guidance Software Inc. where 
comparisons of an original file MD5 hash is made with a MD5 hash of a suspect file in 
order to detect steganographically embedded data). Therefore it would have been 
obvious to one of ordinary skill in the art at the time the invention was made to 
incorporate this feature into the system of Cowie. It would have been obvious to do so 
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since this would extend the types of programs that can be evaluated for embedded 
malware detectable via the comparison step of Cowie. 

As for claim 2, Cowie teaches a method according to claim 1 wherein the 
indication incorporates an identification of the item's location in the computer system 
([0048] - [0050]). 

As for claim 5, Cowie teaches a method according to claim 1, where an asserted 
file type is ignored when comparing files with the signature ([0048], [0050]: non WIN32 
PE files excluded). 

As for claim 6, Cowie teaches a method according to claim 1 wherein the step of 
comparing the signature with files is for each file preceded by checking the respective 
real file type by reading the start of the file and excluding files having prearranged initial 
byte sequences from comparing with the signature (fig. 6 element 32, [0049]: initial byte 
sequence is used to determine if file is a WIN32 PE file and if not, exclude it from further 
processing). 

As for claim 9, Cowie teaches a method according to claim 1 wherein the one or 
more computer files comprise self-extracting executable files ([0006]). 
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As for claim 10, Cowie teaches a method according to claim 1 wherein some 
prearranged files are not identified in the listing despite containing code which matches 
a signature ([0050]). 

As for claims 1 1 , the claim is directed towards the apparatus carrying out the 
method of claims 1 . Claim 1 1 recites substantially the same limitations as claims 1 and 
therefore is rejected on the same basis as that claim. 

As for claim 12, Cowie teaches a method according to claim 1 wherein the 
indication incorporates an identification of the matching signature ([0048] - [0050]). 

As for claim 14, Cowie teaches the apparatus according to claim 1 1 where the 
code of the signature comprises a continuous sequence of the partial section of the 
program code (fig. 5: element 18, [0015], [0034], [0048]). 

Claim 15 represents the apparatus carrying out the method steps of claim 5. 
Claim 15 recites substantially the same limitation as claim 5 and is therefore rejected 
on the same basis as that claim. 

As for claim 34, Cowie teaches the apparatus according to claim 15, wherein the 
one or more predetermined file types are a graphics editor ([0030]: WIN32 PE file type 
includes graphics editors). 
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As for claim 1 6, Cowie teaches the apparatus of claim 1 1 wherein the partial 
section of code comprises a start of the computer file, and wherein files having a 
prearranges initial byte sequence are excluded for comparison (fig. 6 element 32, 
[0030]: file header is examined to determine if the file is a WIN32 PE file, a byte 
sequence is inherent for any such sequence of digital data). 

As for claim 19, Cowie teaches the apparatus according to claim 1 1 wherein the 
one or more files comprise polymorphic files (fig. 5 element 16, [0048]: Trojan 
containing files include polymorphic malware). 

As for claim 20, Cowie teaches the apparatus according to claim 1 1 wherein one 
or more predetermined files are not indicated despite containing code which matches a 
signature ([0048], [0050]: non WIN32 PE files excluded). 

As for claim 31 , the claim is directed towards a computer program product that 
directs a processor to carry out the method of claim 1 . Claim 31 recites substantially the 
same limitations as claims 1 and is therefore is rejected on the same basis as that 
claim. 
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As for claim 22, Cowie teaches the computer-program product of claim 1 1 further 
comprising identifying a steganographic item responsible for the match ([0048] - [0050]: 
Trojan signature). 

As for claim 24, Cowie teaches the computer-program product of claim 1 1 , 
wherein the signature comprises a continuous sequence of program code but not more 
than 5% or less than 0.167% of the program (fig. 5: element 18, [0015], [0034], [0048]: 
header data is used for the signature). 

As for claim 25, Cowie teaches the computer-program product of claim 31 
wherein an asserted file type is not compared with the signature ([0048], [0050]: non 
WIN32 PE files excluded). 

As for claim 26, this claim is directed towards the computer-program product that 
directs a processor to carry out the method of claim 16. Claim 26 recites substantially 
the same limitations as claim 16 and is therefore rejected on the same basis as that 
claim. 

As for claim 29, this claim is directed towards the computer-program product that 
directs a processor to carry out the method of claim 9. Claim 29 recites substantially 
the same limitations as claim 9 and is therefore rejected on the same basis as that 
claim. 
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As for claim 30, this claim is directed towards the computer-program product that 
directs a processor to carry out the method of claimlO. Claim 30 recites substantially 
the same limitations as claim 10 and is therefore rejected on the same basis as that 
claim. 

As for claim 32, Cowie teaches the computer-readable medium of claim 31 , 
wherein the method further comprises executing the one or more files, and wherein the 
comparison is made prior to executing the one or more files ([0030]-[0031]: 
identification of banned game programs prior to being run on a business computer). 

As for claim 33, Cowie teaches the method of claim 1, further comprising running 
a virus checking program while comparing the signature with one or more computer 
files (fig. 5: element 18, [0015], [0034], [0048]: the signature comparison algorithm of 
Cowie is an anti-viral program). 

As for claim 35, this claim is directed towards a "means plus function" claim that 
corresponds to claim 1 . Claim 35 recites substantially the same limitations as claim 1 
and is therefore rejected on the same basis as that claim. 

As for claims 8, 18, and 28, each of these claims is directed to the case where 
the file is a deleted or logical wastebasket file. Cowie teaches this feature ([0030]: 



Application/Control Number: 10/577,660 
Art Unit: 2437 

WIN32 PE file type includes such files). 



Page 1 1 



10. Claim 4 is rejected under 35 U.S.C. 103(a) as being unpatentable over Cowie 
and Richer as applied to claim 1 above, and further in view of Charbonneau, US 
7,526,654. 

As for claim 4, the combination of Cowie and Richer teaches the method 
according to claim 1 , but not explicitly wherein the code that is read is a .DDL file. 
However, Charbonneau does teach such a feature (col. 5 lines 10-20). Therefore it 
would have been obvious to one of ordinary skill in the art at the time the invention was 
made to incorporate this feature into the system of Cowie and Richer. It would have 
been obvious to do so since this would extend the types of files where embedded 
malware is detectable via the comparison step of Cowie. 

Allowable Subject Matter 

1 1 . Claims 7, 17, and 27 are objected to as being dependent upon a rejected base 
claim, but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 

Conclusion 

12. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
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§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

1 3. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Paul E. Callahan whose telephone number is (571) 272- 
3869. The examiner can normally be reached on M-F from 9 to 5. 

If attempts to reach the examiner by telephone are unsuccessful, the Examiner's 
supervisor, Emmanuel Moise, can be reached on (571) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is: (571) 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
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For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

/PEC/ 
AU2437 



/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



